hxxps://cdn[.]discordapp[.]com/attachments/1132346958321827970/1133990148699328512/TechBeams_Sigma_MultiTool_1[.]4[.]exe

Analysis

max time kernel
1748s
max time network
1689s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2023 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1132346958321827970/1133990148699328512/TechBeams_Sigma_MultiTool_1.4.exe

Score

8^/10

pyinstaller

Malware Config

Signatures

Downloads MZ/PE file

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000700000002322c-185.dat	pyinstaller

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 515734.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2572	msedge.exe
2572	msedge.exe
460	msedge.exe
460	msedge.exe
4200	identity_helper.exe
4200	identity_helper.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 460 wrote to memory of 1260	460	msedge.exe	81
PID 460 wrote to memory of 1260	460	msedge.exe	81
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2188	460	msedge.exe	82
PID 460 wrote to memory of 2572	460	msedge.exe	83
PID 460 wrote to memory of 2572	460	msedge.exe	83
PID 460 wrote to memory of 3540	460	msedge.exe	84
PID 460 wrote to memory of 3540	460	msedge.exe	84
PID 460 wrote to memory of 3540	460	msedge.exe	84
PID 460 wrote to memory of 3540	460	msedge.exe	84
PID 460 wrote to memory of 3540	460	msedge.exe	84
PID 460 wrote to memory of 3540	460	msedge.exe	84
PID 460 wrote to memory of 3540	460	msedge.exe	84
PID 460 wrote to memory of 3540	460	msedge.exe	84
PID 460 wrote to memory of 3540	460	msedge.exe	84
PID 460 wrote to memory of 3540	460	msedge.exe	84
PID 460 wrote to memory of 3540	460	msedge.exe	84
PID 460 wrote to memory of 3540	460	msedge.exe	84
PID 460 wrote to memory of 3540	460	msedge.exe	84
PID 460 wrote to memory of 3540	460	msedge.exe	84
PID 460 wrote to memory of 3540	460	msedge.exe	84
PID 460 wrote to memory of 3540	460	msedge.exe	84
PID 460 wrote to memory of 3540	460	msedge.exe	84
PID 460 wrote to memory of 3540	460	msedge.exe	84
PID 460 wrote to memory of 3540	460	msedge.exe	84
PID 460 wrote to memory of 3540	460	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1132346958321827970/1133990148699328512/TechBeams_Sigma_MultiTool_1.4.exe
1⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd54b446f8,0x7ffd54b44708,0x7ffd54b44718
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,3541446559247028790,16480106752469551039,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,3541446559247028790,16480106752469551039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,3541446559247028790,16480106752469551039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3541446559247028790,16480106752469551039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3541446559247028790,16480106752469551039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,3541446559247028790,16480106752469551039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,3541446559247028790,16480106752469551039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3541446559247028790,16480106752469551039,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3541446559247028790,16480106752469551039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3541446559247028790,16480106752469551039,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3541446559247028790,16480106752469551039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3541446559247028790,16480106752469551039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,3541446559247028790,16480106752469551039,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4040 /prefetch:8
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,3541446559247028790,16480106752469551039,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,3541446559247028790,16480106752469551039,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3048 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7ad9bb1054aa03e39b3554833d0c3ec

SHA1
cbd5b99ca100bc2f1292df23bf8e2a5a6f9640d9

SHA256
0c3eae39386b4117ad26187afc4933e254468cd12d813271f4b7420cee73c189

SHA512
d1d0b77e0bc412b4ee687e849531a7c9b70200d45d0bdbf38357b6fc59af835522e749b2fd8c2d4cde73518970568c38d73416c97381a11cc6029c14b1678276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c91077966ee48f9f6695ae2d0515fb89

SHA1
9022f44e7cd8605a4863f43e6823c3cb51605346

SHA256
6845abb2977a823da69abbb1ba29a9272cfce8782c7707213a375adae430ab2a

SHA512
dc4a082cdbf2747b305a492227d4f945d54985d96a605f16f619f16dd73d1d88593accb1ecf27dfc658ca85c356a7f78a0c1a5c37f33fed12c570a3bbff3b012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9dae2a5c727c5ea937b25b85964720ca

SHA1
9089824dc86fed8ce6a3015730c5b20a8fa3327d

SHA256
017221b0d849b0f27f7a939f583a8fb96a0c9d5af5ea0e3c5e30e59c734107b5

SHA512
1a597d455a372f02424a8618b8f985161293f001fa58f182317236e82bb42f0da434c3343992e720853098d1132a4e869c254f675d11e3b7c9cc5f11a1497004

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e62cc4051e1f8eaa0abda5d730a2496b

SHA1
d15346e40b196bc313cbfe5ac96b3c90b83345be

SHA256
ffb5b740b8777d010f0d32a120092084c3cd32eaceb937188d698ddc22df2fcb

SHA512
3e8f6d89c7c153177b2149d86cd8602ceafedf66f5335a86b19dfa46fc38c47f6ff9a272c3b71b4464a5921ebdf2461fba25692ca916b9715bac520bf1e81a22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6a03c3bc0b26abf17c595e6bbe9a7bcf

SHA1
bb8824cc582753edb60ba494e0f2a1b79d099719

SHA256
b0f31acf46fa5c66f4b8ddb52cd646a1ffbb1ff8a8f9aea49925252a850f9ed5

SHA512
77d54eeccc52baefc1961d39935bc52282b04d64f60763a171cb08940cbb99e95b4ade6524dafc16550662e7d2109c3e264e8583f9c061ba324ab14b59476ede

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 515734.crdownload

Filesize
57.4MB

MD5
6a87a2732b9cdb03f0b9dadcffb74f82

SHA1
4b9e20fc588cbbde954d041834cba3cffc80b5ca

SHA256
66411236375391e404b0b5ec365fa4f60554b8c37fbfc9956b0d5c8521b03876

SHA512
1c54458992b04b7392a1d7a4a60da12703bdb73fd997daa573ec89a9bcf8cfb7aca5648a96bd54a1512511985558bb387f1df5e3423aaac357bf1a67adf04c50

Download Submit